HeadlinesBriefing.com

Ivanti EPMM Backdoor Campaign Uses Dormant Java Loaders


A new wave of Ivanti Endpoint Manager Mobile (EPMM) exploitation has emerged, but with a twist. Rather than deploying traditional webshells for immediate access, attackers are planting dormant Java class loaders that remain inactive until triggered. This campaign began on February 4th, 2026, targeting organizations across multiple sectors with a more deliberate approach than previous mass exploitation attempts.

The vulnerabilities CVE-2026-1281 and CVE-2026-1340 enable unauthenticated remote code execution through authentication bypass flaws in the aftstore and appstore packages respectively. While Ivanti published patching guidance, exploitation followed rapidly. What makes this campaign notable is the payload: a Base64-encoded Java class file deployed to `/mifs/403.jsp` that functions as an in-memory class loader rather than an interactive backdoor. The loader uses `equals(Object)` as its entry point to avoid security tooling detection and supports multiple servlet environments through fallback logic.

The dormant nature of these implants suggests initial access broker (IAB) tradecraft - establish footholds now, activate or sell access later. No follow-on exploitation has been observed yet, but the absence of activity doesn't indicate safety. The loader gathers host fingerprinting data including OS details and filesystem paths, passing this to potential second-stage classes. Organizations running Ivanti EPMM should treat any related activity as evidence of compromise, patch immediately, restart servers to flush memory implants, and monitor logs for the specific indicators detailed in the analysis.
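The two signals the briefing gives defenders are concrete enough to check mechanically: a JSP at `/mifs/403.jsp` carrying a Base64 blob that decodes to a Java class file, and web-server requests to that path. The script below is an added example, not code from HeadlinesBriefing.com or from the analysis it summarises. It assumes the access log is in the Apache/Tomcat combined log format and that the caller reads the JSP source from disk; the sample JSP and log lines are constructed, not real artefacts, and the "class file" inside the sample is only a stand-in with the right magic bytes.

```python
"""Defensive triage for the dormant Java loader pattern described above.

Added example; not code from HeadlinesBriefing.com or from the analysis it
summarises. Assumptions not taken from the page: access logs use the
Apache/Tomcat combined log format, and the JSP text is read by the caller.
"""
import base64
import re
from typing import Iterable

TARGET_PATH = "/mifs/403.jsp"            # path named in the report
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every Java .class file
ENTRY_POINT_NAME = b"equals"             # method the report says the loader abuses

# Combined-log-format line (assumed format, not specific to EPMM).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def inspect_jsp(text: str) -> dict:
    """Scan JSP source for a Base64 blob that decodes to a Java class file.

    Returns {"java_class": bool, "names_equals": bool}. The second flag is a
    cheap secondary signal: the decoded bytes contain the string 'equals',
    which a class using equals(Object) as its entry point must name in its
    constant pool.
    """
    result = {"java_class": False, "names_equals": False}
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw.startswith(JAVA_CLASS_MAGIC):
            result["java_class"] = True
            result["names_equals"] = ENTRY_POINT_NAME in raw
            break
    return result


def loader_requests(lines: Iterable[str]) -> list[dict]:
    """Return parsed log entries whose request path is the reported JSP path.

    Query strings are stripped before comparison so '/mifs/403.jsp?x=1' matches.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path == TARGET_PATH:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "status": int(m.group("status")), "ts": m.group("ts")})
    return hits


# --- constructed sample input (not real artefacts) ---
def _fake_class_bytes() -> bytes:
    # Stand-in only: magic, version, then a constant-pool-like UTF8 entry
    # holding the method name. Not a loadable class, just enough to exercise
    # both checks.
    return (JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00\x02"
            + b"\x01\x00\x06" + ENTRY_POINT_NAME + b"\x00" * 24)


SAMPLE_JSP = (
    '<%@ page import="java.util.Base64" %>\n'
    '<% String blob = "' + base64.b64encode(_fake_class_bytes()).decode() + '"; %>\n'
)

SAMPLE_LOG = [
    '198.51.100.7 - - [04/Feb/2026:10:12:01 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Feb/2026:10:12:09 +0000] "GET /mifs/403.jsp?x=1 HTTP/1.1" 200 87',
    '203.0.113.5 - - [04/Feb/2026:10:13:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4021',
    'not a log line',
]

if __name__ == "__main__":
    print(inspect_jsp(SAMPLE_JSP))
    for hit in loader_requests(SAMPLE_LOG):
        print(hit)
```

A hit from `inspect_jsp` on a real server should be treated as the briefing says: evidence of compromise, not merely a suspicious file, and because the loader lives in memory once triggered, the file check alone does not prove the implant is gone after deletion; the restart the briefing recommends is what flushes it.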

Quick Fact: The campaign deployed payloads to `/mifs/403.jsp` across multiple victim organizations starting February 4th, 2026.